
You said it yourself, "EAP is an authentication framework." EAP defines a framework that provides a standard interface within which entities are free to define their own authentication methods that can provide authentication services in whatever way they see fit within that standard framework. The two end points (authenticator and supplicant) must be able to understand and make use of the specific method, but any intermediate devices are only required to know how to process EAP traffic.

TLS actually can do a number of things, but is most commonly used for establishing an encrypted session/tunnel between two end points. It certainly can be used to provide authentication, but many of the EAP protocols that do make use of TLS only do so to encrypt the traffic between supplicant and server to provide a secure tunnel through which the authentication takes place. The key here is not that TLS provides the authentication, but rather that TLS provides encryption (data integrity & privacy) for the authentication protocol. The EAP-TLS Authentication Protocol is just another implementation of an authentication protocol that is integrated with TLS.

We can conclude that the usage of both will depend on the use case, since EAP is an authentication protocol that typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP, and TLS has a completely different purpose, since the primary goal of the TLS Protocol is to provide privacy and data integrity between two communicating applications. TLS provides authentication with the use of certificates on its own.

TLS can provide mutual authentication with the use of public-key certificates. However, it is not necessary to use public-key certificates with TLS for authentication. TLS can be used solely to provide encryption (data integrity & privacy) for the data being transferred on the wire, without user authentication mechanisms. An authentication layer can be used with TLS, and both can be completely decoupled from one another. Often in TLS scenarios, only the server must be trusted/authenticated by the client, while the client can be anonymous (e.g. an internet browser).

Therefore TLS does not enforce authentication, nor does it enforce the strict usage of public-key certificates for it. In most modern enterprise scenarios, user authentication is handled by SAML 2.0 or Kerberos/SPNEGO, and both technologies are used in scenarios where TLS is also used.
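As an added example (not part of the original answers), the following Go program uses the standard library's crypto/tls over loopback to show the distinctions drawn above: a server-authenticated-only handshake with an anonymous client, the same server ignoring a certificate the client offers unprompted, a mutual-TLS handshake in which the server verifies the client certificate, and a mutual-TLS handshake that fails because the client has none. The certificates are self-signed in memory (constructed for the demo) and the names `localhost` and `alice` are arbitrary; in practice a CA-issued certificate and a real trust store would be used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds an in-memory self-signed certificate for name (constructed
// for this demo). The returned pool holds the certificate itself so a peer can
// trust it directly; a real deployment would trust a CA instead.
func selfSigned(name string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake runs one TLS handshake over loopback and reports whether the server
// ended up with a verified client certificate, or the error that aborted it.
func handshake(server, client *tls.Config) (clientAuthed bool, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	type res struct {
		peers int
		err   error
	}
	ch := make(chan res, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			ch <- res{0, err}
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil { // fails e.g. when a required client cert is missing
			ch <- res{0, err}
			return
		}
		ch <- res{len(tc.ConnectionState().PeerCertificates), nil}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return false, err
	}
	conn.Close()
	r := <-ch
	return r.peers > 0, r.err
}

// Outcome records one scenario: whether the TLS layer authenticated the client.
type Outcome struct {
	Name         string
	ClientAuthed bool
	Err          error
}

// RunScenarios exercises server-only authentication and mutual TLS.
func RunScenarios() ([]Outcome, error) {
	srvCert, srvPool, err := selfSigned("localhost")
	if err != nil {
		return nil, err
	}
	cliCert, cliPool, err := selfSigned("alice")
	if err != nil {
		return nil, err
	}
	serverOnly := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: tls.NoClientCert}
	mutual := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: cliPool}
	anon := &tls.Config{RootCAs: srvPool, ServerName: "localhost"}
	withCert := &tls.Config{RootCAs: srvPool, ServerName: "localhost", Certificates: []tls.Certificate{cliCert}}
	cases := []struct {
		name string
		s, c *tls.Config
	}{
		{"server-only auth, anonymous client", serverOnly, anon},
		{"server-only auth, client offers cert but server never asks", serverOnly, withCert},
		{"mutual TLS, client presents verified cert", mutual, withCert},
		{"mutual TLS, client has no cert", mutual, anon},
	}
	var out []Outcome
	for _, tc := range cases {
		ok, err := handshake(tc.s, tc.c)
		out = append(out, Outcome{tc.name, ok, err})
	}
	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, o := range out {
		fmt.Printf("%-60s clientAuthed=%v err=%v\n", o.Name, o.ClientAuthed, o.Err)
	}
}
```

The first two scenarios succeed with no client identity at the TLS layer, which is where a separate authentication layer (SAML, Kerberos, or an EAP method inside the tunnel) would take over; only the third yields a TLS-verified client, and the fourth is rejected by the server because it insisted on a certificate.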
